Hello, Everyone:

I've been looking at firehol to configure the firewalls on my machines.

Is firehol still under active support and bugfixes?

I ask because I'm not sure firehol's configuration works correctly for DNS and email servers.

When I use a config file like the one shown below, I found that packets returning from DNS requests were sometimes being blocked, and incoming connections to port 25 were also sometimes blocked. (Even when all rules had 'client all accept' and 'server all accept'.)

Do people use this firewall on real, working mail and DNS servers? Am I making some sort of mistake in my configs? I would love to get firehol working for my purposes.

I look forward to hearing back.
-- jrobinson (configuration file follows)
-------------------------
Below is the config file I was using (with IPs changed):
--------------------

#!/etc/rc.d/init.d/firehol
#
# THREE RULESETS: dst-publicip, dst-privateip, dst-world
#

FIREHOL_LOG_MODE="ULOG"
#FIREHOL_LOG_OPTIONS=" --log-tcp-options --log-ip-options"
#FIREHOL_ULOG_OPTIONS=" --log-tcp-options --log-ip-options --ulog-cprange 0 "
#FIREHOL_LOG_OPTIONS="--log-level info --log-tcp-options --log-ip-options -ll"
FIREHOL_LOG_OPTIONS="--ulog-cprange 0"


interface eth0 dst-publicip dst 205.22.12.74/32

    # The default policy is DROP. You can be more polite with REJECT.
    # Prefer to be polite on your own clients to prevent timeouts.
    policy drop

    # If you don't trust the clients
    # add something like this.
    # protection strong

    # Here are the services listening on eth0.
    server smtp accept
    server ICMP accept
    #server mysql accept
    server ntp accept
    server webmin accept
    server http accept
    server dns accept
    server ssh accept
    server pop3 accept
    server imaps accept
    server https accept
    server all accept

    client smtp accept
    client dns accept
    client ICMP accept
    client ssh accept
    client pop3 accept
    client http accept
    client imaps accept
    client https accept
    client ntp accept

    client all accept


interface eth1 dst-privateip dst 192.168.1.3/32

    # The default policy is DROP. You can be more polite with REJECT.
    # Prefer to be polite on your own clients to prevent timeouts.
    #policy drop
    policy reject

    # If you don't trust the clients behind eth1 (net "192.168.1.0/24"),
    # add something like this.
    # > protection strong

    # Here are the services listening on eth1.
    # TODO: Normally, you will have to remove those not needed.
    server ICMP accept
    #server mysql accept
    server ntp accept
    server smtp accept
    server webmin accept
    server http accept
    server dns accept
    server ssh accept
    server https accept
    server all accept

    client dns accept
    client ICMP accept
    client smtp accept
    client ssh accept
    client https accept

    client all accept


interface eth0 dst-outside dst not "192.168.1.3 205.22.12.74"

    # The default policy is DROP. You can be more polite with REJECT.
    # Prefer to be polite on your own clients to prevent timeouts.
    policy drop
    #policy reject

    # If you don't trust the clients behind eth1 (net "192.168.1.0/24"),
    # add something like this.
    # > protection strong

    # Here are the services listening on eth1.
    # TODO: Normally, you will have to remove those not needed.
    server ICMP accept
    #server mysql accept
    server ntp accept
    server smtp accept
    server webmin accept
    server http accept
    server dns accept
    server ssh accept
    server https accept
    server imaps accept
    server all accept

    client ICMP accept
    client dns accept
    client smtp accept
    client ssh accept
    client https accept
    client http accept
    client imaps accept

    client all accept
    # for now, we let all traffic out
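Added example, not part of the original post and not FireHOL's own code: since the config above logs with FIREHOL_LOG_MODE="ULOG", the first step in finding out why "returning DNS packets" and "incoming port 25 connections" are dropped is to look at what the firewall actually logged. The script below parses netfilter-style key=value log lines and labels each dropped packet as a DNS reply arriving on an interface (UDP, source port 53), an outbound DNS query, an inbound SMTP connection (TCP to port 25), or something else, so one can see whether the drops really are reply traffic that connection tracking should have matched. The sample lines, host name and ulogd prefix are constructed for this example; the only assumption about the real log is that it carries the usual IN=/OUT=/SRC=/DST=/PROTO=/SPT=/DPT= fields.

```python
import re
from collections import Counter

# Constructed sample lines in the netfilter/ulogd key=value style.  They are
# not real output from the poster's hosts; the "mx ulogd[812]:" prefix is an
# assumption about how syslog-style emulation would tag them.
SAMPLE_LOG = """\
May  3 10:01:12 mx ulogd[812]: IN=eth0 OUT= SRC=8.8.8.8 DST=205.22.12.74 PROTO=UDP SPT=53 DPT=40123 LEN=120
May  3 10:01:13 mx ulogd[812]: IN=eth0 OUT= SRC=198.51.100.7 DST=205.22.12.74 PROTO=TCP SPT=48822 DPT=25 SYN
May  3 10:01:15 mx ulogd[812]: IN=eth0 OUT= SRC=8.8.4.4 DST=205.22.12.74 PROTO=UDP SPT=53 DPT=40124 LEN=400
May  3 10:01:20 mx ulogd[812]: IN=eth0 OUT= SRC=203.0.113.9 DST=205.22.12.74 PROTO=TCP SPT=51000 DPT=445 SYN
May  3 10:01:21 mx ulogd[812]: IN= OUT=eth0 SRC=205.22.12.74 DST=8.8.8.8 PROTO=UDP SPT=40125 DPT=53 LEN=60
"""

# KEY=value tokens; the value may be empty (e.g. "OUT=" on an incoming packet).
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=value fields of one netfilter-style log line as a dict."""
    return dict(KV_RE.findall(line))


def classify(rec):
    """Label a logged packet by the service it most likely belongs to.

    Direction comes from which of IN/OUT is populated (a packet arriving on
    an interface has IN set; one leaving has OUT set); the ports tell the
    service.  Only the two services the post asks about get their own label.
    """
    inbound = bool(rec.get("IN"))
    proto = rec.get("PROTO", "")
    spt = rec.get("SPT", "")
    dpt = rec.get("DPT", "")
    if inbound and proto == "UDP" and spt == "53":
        return "dns-reply-in"    # an answer to a query this host sent out
    if not inbound and dpt == "53":
        return "dns-query-out"   # our own resolver query leaving the box
    if inbound and proto == "TCP" and dpt == "25":
        return "smtp-in"         # a remote MTA connecting to our port 25
    if not inbound and proto == "TCP" and dpt == "25":
        return "smtp-out"        # our MTA delivering to a remote host
    return "other"


def summarize_drops(log_text):
    """Count logged packets per label and keep the (src, dst) pairs per label
    so the operator can see which peers were affected."""
    counts = Counter()
    peers = {}
    for line in log_text.splitlines():
        if "SRC=" not in line:          # skip lines that are not packet logs
            continue
        rec = parse_line(line)
        label = classify(rec)
        counts[label] += 1
        peers.setdefault(label, []).append((rec.get("SRC"), rec.get("DST")))
    return counts, peers


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/path/to/ulogd-output").read() on a real host.
    counts, peers = summarize_drops(SAMPLE_LOG)
    for label, n in counts.most_common():
        print(f"{label:14s} {n:3d}  peers={sorted(set(peers[label]))}")
```

On the constructed sample this reports two dropped DNS replies from the resolvers, one dropped inbound SMTP connection, one dropped outbound DNS query and one unrelated probe. Seeing DNS replies with source port 53 in the drop log while `client dns accept` is present is the signal to check connection tracking (whether the outbound query was itself accepted on the same interface definition, and whether the reply reaches the box with the destination address the `dst` qualifier expects) rather than to add more `server`/`client` lines.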